I've just setup SSL on the main domain in my whm/cpanel setup, the domain has it's own ip and is all up and running correctly.

However when browsing the site in Chrome I get the following:

Your connection to example.com is encrypted with 256-bit encryption.
However, this page includes other resources which are not secure.
These resources can be viewed by others while in transite and can be
modified by an attacker to change the behaviour of the page.

The connection uses SSL 3.0.

The connection is encrypted using AES_256_CBC, with SHA1 for message
authentication and DHE_RSA as the key exchange mechanism.

The connection is not compressed.

The connection had to be retried using SSL 3.0. This usually means
that the server is using very old software and may have other security
issues.

3 Answers
3

However, this page includes other resources which are not secure.
These resources can be viewed by others while in transite and can be
modified by an attacker to change the behaviour of the page.

Open the Developer Tools panel in Chrome (View -> Developer) and go to the network tab. It will list everything that it's loading. In addition, click on the warnings/errors icons at the bottom right. They'll open the list of errors, including messages such as:

The page at ... displayed insecure content from http://...

Unsafe JavaScript attempt to access frame with URL https://.../ from frame with URL http://.... Domains, protocols and ports must match

Most likely, it will come from frames and contents embedded from ads. Once you've found the "offending" resources in the list in the network tab, the "Initiator" column should give you a clue regarding what's loading them.

The connection had to be retried using SSL 3.0. This usually means
that the server is using very old software and may have other security
issues.

Make sure you have this (in addition to the SSLCipherSuite directive):

In order to avoid that warning, all included elements (images, files, etc.) must use HTTPS connections. View the page source and look for http:// -- it's ok in links to other pages (<a href="...) but not to files (<img src="..., etc.)

Not really, you still have plenty of mixed content, see little red cross next to struck through https. (SSLProtocol all -SSLv2 should be equivalent to` SSLProtocol -SSLv2 +SSLv3 +TLSv1`, by the way or TLS 1.1+ should harm anyway, same for the cipher suites you had except RC4+RSA perhaps.)
–
BrunoJan 15 '12 at 15:41